high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | October 2005 (3.98) |
| Protection available since | 7 September 2005 06:24:39 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Certif-G is a password stealing Trojan for the Windows platform.
Troj/Certif-G monitors system activity and collects user credentials typed into the windows of various online banking applications. This information is stored in files created by the Trojan with a .txt or .aes extension within the <Windows>\msjava32 folder which is also created by the Trojan.
The Trojan may attempt to scan the computer for all files with a .crt or .key extension, copying them to the <Windows>\msjava32 folder.
When first run Troj/Certif-G copies itself to <System>\dxdiags.exe and creates the following files:
<Windows>\msjava32\<user>.txt - this file may be deleted.
where <user> is the name of the user of the infected computer.
Troj/Certif-G will attempt to remove the following files along with any associated registry entries:
bluetooth.exe
dxdiag32.exe
dxdiags.exe
mailman.exe
msdirect.exe
msn_explorer.exe
terraxp.exe
Troj/Certif-G will attempt to download and execute a file from a predefined URL via http. Stolen information will be uploaded to a predefined URL via ftp.
The Trojan contains screen capturing functionality.
The following registry entry is created to run dxdiags.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dxdiags.exe
<System>\dxdiags.exe
Troj/Certif-G creates the following registry entries:
HKLM\SOFTWARE
nm
1
|
